building-threat-intelligence-enrichment-in-splunk

# Building Threat Intelligence Enrichment in Splunk ## Overview Splunk's Threat Intelligence Framework in Enterprise Security enables SOC teams to automatically correlate indicators of compromise (IOCs) against security events. The framework ingests threat feeds, normalizes indicators into KV Store collections, and uses lookup-based correlation searches to flag matching events. Splunk Threat Intelligence Management centralizes collection, normalization, and enrichment from multiple sources, reducing triage time by providing analysts with immediate context. ## When to Use - When deploying or configuring building threat intelligence enrichment in splunk capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - Splunk Enterprise Security (ES) 7.x or later - Threat Intelligence Management add-on or Threat Intelligence Framework - API keys for external threat intelligence feeds (MISP, OTX, VirusTotal, AbuseIPDB) - KV Store enabled and properly configured - Admin access for modular input configuration ## Threat Intelligence Framework Architecture ``` External TI Sources (STIX/TAXII, CSV, API) | v Modular Inputs (download and parse feeds) | v KV Store Collections (normalized IOC storage) |-- ip_intel |-- domain_intel |-- file_intel |-- url_...